- Introduced a new JSON fixture `receipt-input.json` containing base, environmental, and threat metrics for CVSS scoring.
- Added corresponding SHA256 hash file `receipt-input.sha256` to ensure integrity of the JSON fixture.
# Semgrep baseline
Deterministic baseline runner that executes Semgrep against a single benchmark case and emits a submission payload in the benchmark schema.
## Usage

```sh
# Run for one case
SEMGREP_SEND_TELEMETRY=0 SEMGREP_ENABLE_VERSION_CHECK=0 \
  baselines/semgrep/run_case.sh cases/js/unsafe-eval /tmp/semgrep-out

# Run for all cases under a root
SEMGREP_SEND_TELEMETRY=0 SEMGREP_ENABLE_VERSION_CHECK=0 \
  baselines/semgrep/run_all.sh cases /tmp/semgrep-all
```
Outputs:

- Per-case: `<out>/submission.json`
- All cases: `<out>/submission.json` (merged, deterministic ordering)
## Requirements

- Semgrep CLI available on PATH. Tested with `semgrep >= 1.72`. Telemetry/version checks must be disabled for offline/deterministic runs.
- Python 3.11+ for the normalization script.
## Determinism posture

- Telemetry/version checks disabled by default via env (see scripts).
- Stable ordering of cases and sinks.
- No network access.
- If Semgrep is missing, the runner still produces a valid submission marking all sinks as unreachable, preserving schema validity.
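The normalization step is what turns raw Semgrep output into the deterministic payload the posture above describes. The following is an added example, not the project's normalization script: it assumes a sink fixture of `{"id", "path", "line"}` records and a submission schema of `{"case_id", "tool", "sinks": [{"sink_id", "reachable", "evidence"}]}` (both assumed, since the benchmark schema is not shown here), reads the real `semgrep --json` result shape (`results[].check_id`, `path`, `start.line`, `end.line`), sorts sinks and cases so output bytes are stable, and falls back to marking every sink unreachable when no Semgrep output exists.

```python
import hashlib
import json
from typing import Optional

# Constructed sample of Semgrep's `--json` output for one case. The shape follows
# the real CLI ("results" entries carry check_id, path, start/end line).
SAMPLE_SEMGREP_JSON = json.dumps({
    "results": [
        {"check_id": "javascript.lang.security.audit.eval-detected",
         "path": "index.js",
         "start": {"line": 12, "col": 5, "offset": 200},
         "end": {"line": 12, "col": 30, "offset": 225},
         "extra": {"message": "Detected eval of user input", "severity": "WARNING"}},
    ],
    "errors": [],
})

# Constructed sink fixture (assumed format: id, path, line), deliberately unsorted.
SAMPLE_SINKS = [
    {"id": "sink-eval-b", "path": "index.js", "line": 40},
    {"id": "sink-eval-a", "path": "index.js", "line": 12},
]


def normalize_case(case_id: str, sinks: list, semgrep_output: Optional[str]) -> dict:
    """Build one case's submission entry (assumed schema).

    semgrep_output is the raw text of `semgrep --json`, or None when the CLI was
    unavailable; then every sink is reported unreachable so the payload stays
    schema-valid instead of the run failing.
    """
    findings = []
    if semgrep_output is not None:
        data = json.loads(semgrep_output)
        for r in data.get("results", []):
            findings.append((r["path"], r["start"]["line"], r["end"]["line"], r["check_id"]))

    entries = []
    # Sinks are emitted in sorted id order regardless of fixture order.
    for sink in sorted(sinks, key=lambda s: s["id"]):
        # A sink counts as reached when a finding's line span covers the sink line
        # in the same file; evidence is a sorted, de-duplicated list of rule ids.
        evidence = sorted({
            check for path, start, end, check in findings
            if path == sink["path"] and start <= sink["line"] <= end
        })
        entries.append({
            "sink_id": sink["id"],
            "reachable": bool(evidence),
            "evidence": evidence,
        })
    return {"case_id": case_id, "tool": "semgrep", "sinks": entries}


def merge_submissions(cases: list) -> dict:
    """Merge per-case entries into the all-cases payload, ordered by case id."""
    return {"cases": sorted(cases, key=lambda c: c["case_id"])}


def canonical_json(payload: dict) -> str:
    """Canonical serialization: sorted keys, no whitespace, so bytes are stable."""
    return json.dumps(payload, sort_keys=True, separators=(",", ":"))


def fingerprint(payload: dict) -> str:
    """SHA-256 of the canonical JSON; equal across runs iff the payload is identical."""
    return hashlib.sha256(canonical_json(payload).encode("utf-8")).hexdigest()


if __name__ == "__main__":
    with_tool = normalize_case("js/unsafe-eval", SAMPLE_SINKS, SAMPLE_SEMGREP_JSON)
    without_tool = normalize_case("js/unsafe-eval", SAMPLE_SINKS, None)
    print(canonical_json(merge_submissions([with_tool])))
    print("fingerprint:", fingerprint(merge_submissions([with_tool])))
    print("fallback fingerprint:", fingerprint(without_tool))
```

Comparing `fingerprint()` values across two runs is a cheap determinism check for CI: any change in Semgrep result ordering or fixture ordering is absorbed by the sorting, so only a real change in findings alters the hash.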